Monday, December 1, 2014

In this 6-part series, we will analyze a recent phishing attempt through an email which was sent to me. In post 1, we looked at the email. In this, the second post, we look at the packet capture and try to analyze it to see what we can learn.

Analyzing the Wireshark capture

As we look at the capture we see the following:

1. A TCP connection was made to 50.87.164.13 on port 80
2. In packet 4 a "GET" request was made for "/services/invoice1211.php"
3. Packet 9 shows the server responding with Status "200 OK"

Analyzing the response from the server

1. The server says Apache. However, I don't see any version information. Maybe this header was crafted.

2. Content-Length states that 2148 bytes were downloaded

3. Looking into the file which was downloaded we see some Ajax script. The point of interest to me was the image below. This suggests it is looking at my browser before it makes a further decision. When I first looked at this I was thinking this would have been an exploit kit. I was wrong. I said I was wrong because, at least with an exploit kit, I was expecting it to try to exploit my browser, not try to get me to download a file.

Analyzing the "POST" method

1. A few packets later, we see another connection setup

2. This time the HTTP method was "POST"

4. In packet 21 we see what looks like we downloaded a "GIF" image. I find this interesting since no images were seen on the page when the link was clicked.

5. If we remember, in the previous "GET" request the get_params had some variables. If we look below, we can see those variables filled out

Additional Analysis of the PCAP

1. As we move through the capture we see a file named "invoice1211_pdf82.zip" which was downloaded.

2. The file size was 10870 bytes
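The checks above (a Server header with no version, the Content-Length on the GET response, a POST that returns something claiming to be a GIF, and a later ZIP download) are the kind of thing worth automating once the TCP streams have been reassembled and exported from Wireshark. The following is an added example, not code from the original post: it parses one reassembled HTTP request/response stream, sniffs the body's magic bytes, compares them against the declared Content-Type and Content-Length, flags a version-less Server header, and hashes the body so it can be matched against file hashes like the ones listed at the end of this post. The two sample streams are constructed for illustration and are not taken from the real capture.

```python
import hashlib
import re

# Constructed sample streams (not from the real pcap). The first mirrors the
# GET for the landing page, the second a POST whose response is labelled as a
# GIF but actually carries a ZIP archive.
SAMPLE_GET = (
    b"GET /services/invoice1211.php HTTP/1.1\r\n"
    b"Host: example.invalid\r\n"
    b"User-Agent: Mozilla/5.0\r\n\r\n"
    b"HTTP/1.1 200 OK\r\n"
    b"Server: Apache\r\n"
    b"Content-Type: text/html\r\n"
    b"Content-Length: 48\r\n\r\n"
    b"<html><script>var get_params={};</script></html>"
)
SAMPLE_POST = (
    b"POST /services/invoice1211.php HTTP/1.1\r\n"
    b"Host: example.invalid\r\n"
    b"Content-Type: application/x-www-form-urlencoded\r\n"
    b"Content-Length: 11\r\n\r\n"
    b"a=1&b=hello"
    b"HTTP/1.1 200 OK\r\n"
    b"Server: Apache\r\n"
    b"Content-Type: image/gif\r\n"
    b"Content-Length: 10\r\n\r\n"
    b"PK\x03\x04abcdef"
)

# File signatures worth recognising in a phishing capture.
MAGIC = {b"GIF87a": "gif", b"GIF89a": "gif", b"PK\x03\x04": "zip",
         b"%PDF-": "pdf", b"\x89PNG": "png"}
EXPECTED_TYPE = {"gif": "image/gif", "png": "image/png",
                 "zip": "application/zip", "pdf": "application/pdf"}


def sniff_magic(body):
    """Classify a body by its leading bytes rather than by what the server claims."""
    for sig, kind in MAGIC.items():
        if body.startswith(sig):
            return kind
    head = body.lstrip()[:64].lower()
    if head.startswith((b"<!doctype html", b"<html")) or b"<script" in head:
        return "html"
    return "unknown"


def _parse_headers(block):
    lines = block.split(b"\r\n")
    headers = {}
    for line in lines[1:]:
        if b":" in line:
            name, value = line.split(b":", 1)
            headers[name.strip().decode("latin-1").lower()] = value.strip().decode("latin-1")
    return lines[0].decode("latin-1"), headers


def parse_http_stream(stream):
    """Split one reassembled stream into a request, its body (for POST) and the response."""
    req_hdr, _, rest = stream.partition(b"\r\n\r\n")
    req_line, req_headers = _parse_headers(req_hdr)
    method, uri, _ = req_line.split(" ", 2)
    req_len = int(req_headers.get("content-length", "0"))
    req_body, rest = rest[:req_len], rest[req_len:]
    resp_hdr, _, body = rest.partition(b"\r\n\r\n")
    status_line, resp_headers = _parse_headers(resp_hdr)
    status = int(status_line.split(" ", 2)[1])
    return {"method": method, "uri": uri, "request_body": req_body,
            "status": status, "headers": resp_headers, "body": body}


def assess(exchange):
    """Return analyst findings for one exchange: crafted-looking headers and body mismatches."""
    findings = []
    hdrs, body = exchange["headers"], exchange["body"]
    server = hdrs.get("server", "")
    if server and not re.search(r"/\d", server):
        findings.append(f"Server header '{server}' carries no version; may be crafted or stripped")
    declared = hdrs.get("content-length")
    if declared is not None and int(declared) != len(body):
        findings.append(f"Content-Length {declared} != {len(body)} bytes actually received")
    kind = sniff_magic(body)
    ctype = hdrs.get("content-type", "").split(";")[0].strip().lower()
    if kind in EXPECTED_TYPE and ctype != EXPECTED_TYPE[kind]:
        findings.append(f"body magic says {kind} but Content-Type is '{ctype or 'absent'}'")
    if kind == "zip":
        findings.append("downloaded body is a ZIP archive; extract offline and hash members")
    return findings


def summarize(stream):
    """One-line-per-stream summary suitable for a notebook or a CSV of the whole capture."""
    ex = parse_http_stream(stream)
    return {"method": ex["method"], "uri": ex["uri"], "status": ex["status"],
            "server": ex["headers"].get("server"), "bytes": len(ex["body"]),
            "magic": sniff_magic(ex["body"]),
            "md5": hashlib.md5(ex["body"]).hexdigest(), "findings": assess(ex)}


if __name__ == "__main__":
    for s in (SAMPLE_GET, SAMPLE_POST):
        print(summarize(s))
```

In practice the streams come from Wireshark's "Follow TCP Stream" raw export or from a pcap reader; the parser assumes a single request and response per stream with no chunked encoding, which is enough for the simple exchanges seen in this capture. The MD5 of the extracted body is what you would compare against the hashes published for the downloaded files.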

In the third post, we will perform some basic static analysis of the file "invoice1211_pdf82.zip" which was downloaded.

.pcap and .zip files from my analysis. Please note, in no way am I responsible for any damage caused to your computer and/or other devices as a result of using these files.

adp.pcap - 4cfd352a3c890873d20a33d35fffed25
invoice1211_pdf82.zip - 05fc7646cf11b6e7fb124782daf9fb53

References: Wireshark

Below is a list of threat intelligence websites that you can use. Cymon.io is an excellent one as it searches around 200 different sources. If you’re looking for a more exhaustive list of threat intel sites, check out https://github.com/rshipp/awesome-malware-analysis